[nsp] HSRP problem

Bruce Pinsky bep at whack.org
Thu Dec 11 11:24:47 EST 2003 

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Robert Larsen wrote:

| There's also no reason why the virtual IP address (VIP) - or shared HSRP
| address - cannot be the same as one of the physical interface IP addresses.
| That way, you're not using up one extra IP address and you don't end up with
| this routing problem.
|

The routing *problem* as you call it is caused by misconfiguration.  The
virtual address is intended to be in the same subnet as the primary,
secondary, and workstation addresses.  That's the point....it's a default
gateway address for the subnet.  If you put it in another subnet, you must
know how to get to that other subnet, either via a gateway or by
configuring a route that make workstations think that is local to the wire.

Your issue with non-pingablility may be true for VRRP, but we're talking
about HSRP here.  Besides, if you are concerned about monitoring the
router, you should have an IP address assigned to the loopback and be
pinging that (as well as get SNMP traps for events like HSRP changes).

| As a side note, if one uses a non-Cisco router and is configuring VRRP, then
| you will *not* be able to ping the VIP address - this is in accordance with
| RFC 2338.  However, there is an exception to this: if the VIP is the same as
| the physical interface IP address of the *master* router, then you will be
| able to ping the VIP (effectively, you are pinging the physical interface
| IP).  If the master goes down and the standby/backup router becomes master,
| then you will *not* be able to ping the VIP (since it's not the same as the
| master's physical interface IP anymore).
|
| By configuring the VIP to be the same as your master router's physical
| interface IP gives you some useful info during any fault diagnosis: if you
| can ping the VIP, then there's been no switch of master router; if you
| cannot ping the VIP, then the master router has switched over to your
| standby/backup router.
|
| With Cisco's HSRP, you can ping the VIP even though it is a different
| address to the master's physical interface address.
|
| Cheers,
|
| Rob.
|
| -----Original Message-----
| From: cisco-nsp-bounces at puck.nether.net
| [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Bruce Pinsky
| Sent: 10 December 2003 21:06
| To: Roger
| Cc: cisco-nsp at puck.nether.net
| Subject: Re: [nsp] HSRP problem
|
|
| Roger wrote:
|
| | Ed Ravin wrote:
| |
| |> Are "shared hsrp address" and "primary ip address x.x.x.x" in the
| |> same subnet?
| |
| | No - seperate subnets.
| |
| |> If not, have you configured routing for the shared HSRP address?
| |>
| |>
| | Ahh - changing the hsrp address to one within the subnet fixed things.
| |
| |> The last time I tried stuff like this, it didn't work unless I used
| |> an HSRP address that was in the same subnet as one of the primary or
| |> secondary addresses on the interface.  What does:
| |>
| |>  show ip route <shared HSRP address>
| |>
| |>
| |>
| | Yes it was pointed to Null 0 - on both active and standby routers-
| | which was fairly strange...
| |
| |> show?
| |>
| |>
| | That is a limitation... when HSRP address have to be in the same
| | subnet..  Now I'm aware of that things will move along quickly!
| |
|
| Well, that is the generally accepted way of doing it.  The point is that the
| HSRP address is a virtual default gateway address for hosts on that subnet.
| Hence, the HSRP address should be part of the subnet for the hosts that need
| to get off the local subnet.  If it were in a different subnet than the
| hosts that need to reach it, they would need a route to the subnet for the
| HSRP address.
|
| However, in looking at your issue, I was successful in using an address is a
| different subnet.  The workstation or router that was trying to ping the
| HSRP address needed to believe that it could ARP on the local wire however.
| ~ That required static route pointing to interface to make it work.  Kinda
| defeats the purpose of HSRP.
|
| R2#sh standby
| Ethernet0/0 - Group 0
| ~  State is Active
| ~    2 state changes, last state change 00:07:48
| ~  Virtual IP address is 132.108.5.2
| ~  Active virtual MAC address is 0000.0c07.ac00
| ~    Local virtual MAC address is 0000.0c07.ac00 (bia)
| ~  Hello time 3 sec, hold time 10 sec
| ~    Next hello sent in 0.008 secs
| ~  Preemption disabled
| ~  Active router is local
| ~  Standby router is unknown
| ~  Priority 100 (default 100)
| ~  IP redundancy name is "hsrp-Et0/0-0" (default)
|
|
| R3#sh ip int bri
| Interface        IP-Address      OK? Method Status                Protocol
| Ethernet0/0      132.108.4.3     YES NVRAM  up                    up
| Ethernet1/0      142.108.10.3    YES NVRAM  up                    up
| Loopback0        3.3.3.3         YES NVRAM  up                    up
| Virtual-Access1  unassigned      YES unset  up                    up
|
| R3#sh ip route static
| ~     132.108.0.0/16 is variably subnetted, 2 subnets, 2 masks
| S       132.108.5.0/24 is directly connected, Ethernet0/0
|
| R3#ping 132.108.5.2
|
| Type escape sequence to abort.
| Sending 5, 100-byte ICMP Echos to 132.108.5.2, timeout is 2 seconds: !!!!!
| Success rate is 100 percent (5/5), round-trip min/avg/max = 20/22/32 ms
|
| | Thanks!
| |
| |
|
|
| --
| =========
| bep
|

_______________________________________________
cisco-nsp mailing list  cisco-nsp at puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/



- --
=========
bep

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.2 (MingW32)

iD8DBQE/2JpPE1XcgMgrtyYRAv2oAJ93Pc4CxjNt3H2JB6R6fzUFt6oRUQCeODsg
KtCDnGH3YTspUsuVYU8GC+g=
=HrNF
-----END PGP SIGNATURE-----

More information about the cisco-nsp mailing list